
Does SonicWall CFS work with SSO on traffic from a proxy?

Does somebody know if SonicWall CFS works with SSO on traffic from a proxy (based on XFF)? There are documents from SonicWall saying that it works, but it did not work for me. I opened two cases with SonicWall support. They checked and rechecked the configuration. We lost over a month without any progress. But most importantly, they do not say if it works at all. A firewall and a separate proxy is quite common in bigger networks, so I hope someone has experience with it.

Category: Mid Range Firewalls

Answers

  • Hi @JERZYPAS,

    Thank you for visiting SonicWall Community.

    If SonicWall is able to recognize the IP address and username from the workstation even if it's coming via the proxy, SSO auth should work. If it's still not working for you, could you please explain your network architecture/setup and requirement? We can deep dive and check through the working possibilities.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • jerzypas Newbie ✭

    Hello SARAVANAN

    Thank you for your interest.

    Configuration is typical:

    NSA 5650 and SSO (all newest versions).

    In P2P-LAN (the interfaces behind it are the user VLANs) is the web proxy (Forcepoint).

    SSO is working correctly; we are using it for users who do not use the proxy.

    Forcepoint sets XFF correctly. We see it in packet captures. Additionally we see some packets from the proxy registered in Analytics with the correct username.

    The problem is that our SonicWall does not filter content traffic when it is from the web proxy (Forcepoint) and when we want to filter by AD user group.

    Exactly: when we use filtering by user groups, SonicWall does not authenticate the user with SSO when traffic is from the proxy. According to the documentation it should, on condition that the proxy adds the XFF field. Packet capture shows that XFF is set correctly by the proxy, so the problem is, in my opinion, in SonicWall.

    PC --> SonicWall (CF rules with user groups) --> WAN: content filtering works OK

    PC --> proxy --> SonicWall (CF rules without user groups) --> WAN: content filtering works OK

    PC --> proxy --> SonicWall (CF rules with user groups) --> WAN: content filtering does NOT work

    We rechecked the configuration of SonicWall and Directory Connector with SSO together with SonicWall support several times. We also checked it on several PCs and users to eliminate the possibility that the reason is connected to users or PCs. We confirmed that SSO is working properly: when the traffic is from a browser configured without proxy, SonicWall correctly identifies the user, checks group membership and applies content filtering according to the configured rules. We also confirmed that when we do not select a user group, filtering is OK. To eliminate possible DPI-SSL decryption effects we also tested on clear HTTP sites (e.g. apache.org, myipaddress.com).

    In the configuration of SSO Enforcement we have "Bypass SSO" for the proxy. I guess that it is to bypass SSO on traffic from the proxy, but XFF checking on packets from the proxy and consequently SSO is still on. But it is only my guess. The other option is "Trigger SSO but bypass holding packets while waiting for ..." or no bypass at all. I asked about it before without an answer and tried all options without result. It would be good to be sure which option to use.

    In the documentation it says that the proxy must be in WAN or DMZ. Our proxy was in DMZ (exactly the same problem). But the doc is vague and I am not sure if this requirement applies only to Automatic Proxy Forwarding (which is not our case). In the help for User Proxy Servers we have information about Internal Proxy Servers, saying that it is for "user web requests which go from the proxy before reaching SonicWall".

    So we moved the proxy from DMZ to P2P-LAN. It could also solve some problems with DPI-SSL (when the proxy is in DMZ, excluding traffic from decryption is not very flexible). But the problem stays the same as when the proxy was in DMZ.
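The thread hinges on one mechanism: identity-based content filtering looks up the user by the client IP the firewall sees, and traffic relayed by a proxy carries the proxy's IP unless the firewall substitutes the X-Forwarded-For value. The following is an added illustration of that mechanism and of the symptom described in the test matrix above; it is a hypothetical model, not SonicWall or Forcepoint code. The proxy address, the SSO IP-to-user table, the group memberships, the rules and the HTTP requests are all constructed for the example.

```python
"""Model of identity-aware content filtering behind a web proxy.

Hypothetical illustration (not vendor code): shows why a group-scoped
rule silently stops matching when the firewall resolves the proxy's IP
instead of the original client's IP carried in X-Forwarded-For.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed: the internal web proxy whose XFF header we are willing to trust.
TRUSTED_PROXIES: Set[str] = {"10.10.0.5"}

# Constructed stand-ins for what SSO learns (IP -> user) and AD groups.
SSO_IP_TO_USER: Dict[str, str] = {"10.20.1.15": "alice", "10.20.1.16": "bob"}
USER_GROUPS: Dict[str, Set[str]] = {"alice": {"Finance"}, "bob": {"IT"}}


@dataclass
class Rule:
    name: str
    blocked_categories: Set[str]
    user_group: Optional[str] = None  # None means the rule applies to everyone


RULES = [
    Rule("finance-policy", {"Social"}, user_group="Finance"),
    Rule("default-policy", {"Malware"}),
]


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Return (request line, lower-cased header map) from a raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def effective_client_ip(src_ip: str, headers: Dict[str, str]) -> str:
    """Use the leftmost XFF entry only when the packet comes from a trusted
    proxy; an XFF header from any other source is ignored (a client could
    otherwise set it to impersonate another user's policy)."""
    if src_ip in TRUSTED_PROXIES:
        xff = headers.get("x-forwarded-for", "")
        first = xff.split(",")[0].strip()
        if first:
            return first
    return src_ip


def decide(src_ip: str, raw_request: bytes, category: str
           ) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (verdict, matching rule name, resolved user) for one request."""
    _, headers = parse_request(raw_request)
    client_ip = effective_client_ip(src_ip, headers)
    user = SSO_IP_TO_USER.get(client_ip)
    groups = USER_GROUPS.get(user, set()) if user else set()
    for rule in RULES:
        if rule.user_group is not None and rule.user_group not in groups:
            continue  # group-scoped rule cannot match an unresolved user
        if category in rule.blocked_categories:
            return ("block", rule.name, user)
    return ("allow", None, user)


# Constructed sample requests: one relayed by the proxy with XFF, one without.
REQ_WITH_XFF = (b"GET / HTTP/1.1\r\nHost: www.apache.org\r\n"
                b"X-Forwarded-For: 10.20.1.15\r\n\r\n")
REQ_NO_XFF = b"GET / HTTP/1.1\r\nHost: www.apache.org\r\n\r\n"

if __name__ == "__main__":
    print("direct      ", decide("10.20.1.15", REQ_NO_XFF, "Social"))
    print("proxy+XFF   ", decide("10.10.0.5", REQ_WITH_XFF, "Social"))
    print("proxy no XFF", decide("10.10.0.5", REQ_NO_XFF, "Social"))
```

The third line of output is the symptom in the thread: with the proxy's own IP as the lookup key, no user resolves, the group-scoped rule is skipped, and only group-less rules still apply. When troubleshooting, the check is therefore which IP the firewall actually used for the user lookup, not whether the proxy emitted the header.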
